How can I give my Replicated+Kubernetes application access to the Kubernetes API?

Often the app you're shipping on Replicated + Kubernetes will need access to the Kubernetes API, for example to look up your application's pods or to manage cluster resources.

Replicated creates a Kubernetes Namespace for your application to run in. In most clusters, that means that Kubernetes will require you to explicitly configure Kubernetes RBAC for that namespace before your workloads can access the Kubernetes API.

The simplest way to do this is to grant the cluster-admin role to the default service account in your namespace. This can be accomplished by adding the following to your Replicated YAML.

---
# kind: scheduler-kubernetes

# Binds the namespace's default service account to the built-in
# cluster-admin ClusterRole. Because this is a RoleBinding (not a
# ClusterRoleBinding), the rights are granted within the application's
# namespace, which Replicated creates for the app.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: grant-cluster-admin
subjects:
- kind: ServiceAccount
  name: default
  # If you apply this manifest outside Replicated (e.g. with kubectl), add
  # a `namespace:` here: the API server requires it for ServiceAccount subjects.
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io

To harden this configuration, reduce the permissions granted. The token of the `default` service account is automatically mounted into every pod in the namespace, and cluster-admin is unrestricted, so a compromise of any container in the namespace hands the attacker that access. Prefer a dedicated service account bound to a namespaced Role that grants only the verbs and resources your app actually uses, and disable token automounting for workloads that do not call the API. You can review the available options in the Kubernetes RBAC docs.
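As an added example (not from the original page or from Replicated's own docs), here is a least-privilege replacement for the cluster-admin binding above: a dedicated service account, a namespaced Role limited to reading pods, a RoleBinding between them, a workload that uses the account, and the `default` service account with token automounting turned off. The names `myapp-api`, `myapp-pod-reader`, the namespace `myapp` and the image are assumptions; adjust the Role's rules to what your app really needs.

```yaml
---
# kind: scheduler-kubernetes

# Added example: a dedicated identity for the one workload that calls the API.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: myapp-api   # assumed name
---
# kind: scheduler-kubernetes

# A namespaced Role with only the verbs and resources the app uses.
# "get/list/watch pods" covers looking up the application's own pods;
# add further rules only as the app grows.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: myapp-pod-reader   # assumed name
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
---
# kind: scheduler-kubernetes

# RoleBinding to a Role (not ClusterRole): nothing outside the namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: myapp-pod-reader
subjects:
- kind: ServiceAccount
  name: myapp-api
  namespace: myapp   # assumed: the namespace Replicated created for the app
roleRef:
  kind: Role
  name: myapp-pod-reader
  apiGroup: rbac.authorization.k8s.io
---
# kind: scheduler-kubernetes

# Only this workload receives the myapp-api token.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp-api
spec:
  replicas: 1
  selector:
    matchLabels:
      app: myapp-api
  template:
    metadata:
      labels:
        app: myapp-api
    spec:
      serviceAccountName: myapp-api
      containers:
      - name: api
        image: example.com/myapp-api:1.0.0   # assumed image
---
# kind: scheduler-kubernetes

# Stop the default service account's token from being mounted into every
# other pod in the namespace. Pods that set automountServiceAccountToken: true
# in their own spec still override this, so review your pod specs too.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: default
automountServiceAccountToken: false
```

To confirm the result, impersonate the account from a workstation with cluster access: `kubectl auth can-i list pods -n myapp --as=system:serviceaccount:myapp:myapp-api` should answer `yes`, while `kubectl auth can-i delete deployments -n myapp --as=system:serviceaccount:myapp:myapp-api` and the same check against `system:serviceaccount:myapp:default` should answer `no`. Run the same checks against the original cluster-admin binding and both answer `yes`, which is the exposure the hardened version removes.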